zzuf is a transparent application input fuzzer. It works by intercepting file and network operations and changing random bits in the program's input. zzuf's behaviour is deterministic, making it easy to reproduce bugs.

Specify the random seed to use for fuzzing, or a range of random seeds. Running zzuf twice with the same random seed will fuzz the files exactly the same way, even with a different target application. The purpose of this is to use simple utilities such as cat or cp to generate a file that causes the target application to crash.

If a range is specified, zzuf will run the application several times, each time with a different seed, and report the behaviour of each run. If no ‘stop’ is specified after ‘:’, zzuf will increment the seed value indefinitely.

Specify the proportion of bits that will be randomly fuzzed. A value of 0 will not fuzz anything. A value of 0.05 will fuzz 5% of the open files' bits. A value of 1.0 or more will fuzz all the bytes, theoretically making the input files undiscernible from random data. The default fuzzing ratio is 0.004 (fuzz 0.4% of the files' bits).

A range can also be specified. When doing so, zzuf will pick ratio values from the interval. The choice is deterministic and only depends on the interval bounds and the current seed.

Increment random seed each time a new file is opened. This is only required if one instance of the application is expected to open the same file several times and you want to test a different seed each time.

Stop forking when at least n children have crashed. The default value is 1, meaning zzuf will stop as soon as one child has crashed. A value of 0 tells zzuf to never stop.

Note that zzuf will not kill any remaining children once n is reached. To ensure that processes do not last forever, see the -U flag.

A process is considered to have crashed if any signal (such as, but not limited to, SIGSEGV) caused it to exit. If the -x flag is used, this will also include processes that exit with a non-zero status.

This option is only relevant if the -s flag is used with a range argument. See also the -t flag.

Specify the maximum amount of memory, in mebibytes (1 MiB = 1,048,576 bytes), that children are allowed to allocate. This is useful to detect infinite loops that eat up a lot of memory.

The value should be set reasonably high so as not to interfer with normal program operation. By default, it is set to 1024 MiB in order to avoid accidental excessive swapping. To disable the limitation, set the maximum memory usage to -1 instead.

zzuf uses the setrlimit() call to set memory usage limitations and relies on the operating system's ability to enforce such limitations.

Prevent children from installing signal handlers for signals that usually cause coredumps. These signals are SIGABRT, SIGFPE, SIGILL, SIGQUIT, SIGSEGV, SIGTRAP and, if available on the running platform, SIGSYS, SIGEMT, SIGBUS, SIGXCPU and SIGXFSZ. Instead of calling the signal handler, the application will simply crash. If you do not want core dumps, you should set appropriate limits with the limit coredumpsize command. See your shell's documentation on how to set such limits.

Automatically terminate child processes that use more than n seconds of CPU time.

zzuf uses the setrlimit() call to set CPU usage limitations and relies on the operating system's ability to enforce such limitations. If the system sends SIGXCPU signals and the application catches that signal, it will receive a SIGKILL signal after 5 seconds.

This is more accurate than -U because the behaviour should be independent from the system load, but it does not detect processes stuck into infinite select() calls because they use very little CPU time. See also the -B and -U flags.

Restrict fuzzing to bytes whose offsets in the file are within ranges.

Range values start at zero and are inclusive. Use dashes between range values and commas between ranges. If the right-hand part of a range is ommited, it means end of file. For instance, to restrict fuzzing to bytes 0, 3, 4, 5 and all bytes after offset 31, use ‘-b0,3-5,31-’.

This option is useful to preserve file headers or corrupt only a specific portion of a file.

Do not fuzz files whose name matches the regex regular expression. This option supersedes anything that is specified by the -I flag. Use this for instance if you are unsure of what files your application is going to read and do not want it to fuzz files in the /etc directory.

Multiple -E flags can be specified, in which case files matching any one of the regular expressions will be ignored.

Cherry-pick the list of file descriptors that get fuzzed. The Nth descriptor will really be fuzzed only if N is in list.

Values start at 1 and ranges are inclusive. Use dashes between values and commas between ranges. If the right-hand part of a range is ommited, it means all subsequent file descriptors. For instance, to restrict fuzzing to the first opened descriptor and all descriptors starting from the 10th, use ‘-l1,10-’.

Note that this option only affects file descriptors that would otherwise be fuzzed. Even if 10 write-only descriptors are opened at the beginning of the program, only the next descriptor with a read flag will be the first one considered by the -l flag.

Protect a list of characters so that if they appear in input data that would normally be fuzzed, they are left unmodified instead.

Characters in list can be expressed verbatim or through escape sequences. The sequences interpreted by zzuf are:

\n

new line

\r

return

\t

tabulation

\NNN

the byte whose octal value is NNN

\xNN

the byte whose hexadecimal value is NN

\\

backslash (‘\’)

You can use ‘-’ to specify ranges. For instance, to protect all bytes from ‘\001’ to ‘/’, use ‘-P '\001-/'’.

The statistical outcome of this option should not be overlooked: if characters are protected, the effect of the ‘-r’ flag will vary depending on the data being fuzzed. For instance, asking to fuzz 1% of input bits (-r0.01) and to protect lowercase characters (-P a-z) will result in an actual average fuzzing ratio of 0.9% with truly random data, 0.3% with random ASCII data and 0.2% with standard English text.

Refuse a list of characters by not fuzzing bytes that would otherwise be changed to a character that is in list. This does not prevent characters from appearing in the output if the original byte was already in list.

Only fuzz network ports that are in ranges. By default zzuf fuzzes all ports. The port considered is the listening port if the socket is listening and the destination port if the socket is connecting, because most of the time the source port cannot be predicted.

Range values start at zero and are inclusive. Use dashes between range values and commas between ranges. If the right-hand part of a range is ommited, it means end of file. For instance, to restrict fuzzing to the HTTP and HTTPS ports and to all unprivileged ports, use ‘-p80,443,1024-’.

Fuzz the input of the convert program, using file foo.jpeg as the original input and excluding .xml files from fuzzing (because convert will also open its own XML configuration files and we do not want zzuf to fuzz them):

Fuzz the input of VLC, using file movie.avi as the original input and restricting fuzzing to filenames that appear on the command line (-c), then generate fuzzy-movie.avi which is a file that can be read by VLC to reproduce the same behaviour without using zzuf:

Fuzz between 0.1% and 2% of MPlayer's input bits (-r0.001:0.02) with seeds 0 to 9999 (-s0:10000), preserving the AVI 4-byte header by restricting fuzzing to offsets after 4 (-b4-), disabling its standard output messages (-q), launching up to five simultaneous child processes (-j5) but waiting at least half a second between launches (-D0.5), killing MPlayer if it takes more than one minute to read the file (-T60) and disabling its SIGSEGV signal handler (-S):

Browse the intarweb (-n) using Firefox™ without fuzzing local files (-E.) or non-HTTP connections (-p80,8010,8080), preserving the beginning of the data sent with each HTTP response (-b4000-) and using another seed on each connection (-A):

Due to zzuf using shared object preloading (LD_PRELOAD, _RLD_LIST, DYLD_INSERT_LIBRARIES, etc.) to run its child processes, it will fail in the presence of any mechanism that disables preloading. For instance setuid root binaries will not be fuzzed when run as an unprivileged user.

For the same reasons, zzuf will also not work with statically linked binaries. Bear this in mind when using zzuf on the OpenBSD platform, where cat, cp and dd are static binaries.

Though best efforts are made, identical behaviour for different versions of zzuf is not guaranteed. The reproducibility for subsequent calls on different operating systems and with different target programs is only guaranteed when the same version of zzuf is being used.

zzuf and this manual page are free software. They come without any warranty, to the extent permitted by applicable law. You can redistribute them and/or modify them under the terms of the Do What the Fuck You Want to Public License, Version 2, as published by the WTFPL Task Force. See http://www.wtfpl.net/ for more details.